As reported today on Slashdot, in Linux kernels prior to 2.4.23, it is possible to map the kernel into user space with brk(), since apparently no one ever bothered to check that the argument passed was in the lower 3 gig of the address space.
This is almost as funny as early Linux kernels in which the LDT was user writable.

In any case, the patch is to stick the following check in do_brk() in /mm/mmap.c:

    if ((addr + len) > TASK_SIZE || (addr + len) < addr)
        return -EINVAL;

This is of course a serious bug, since anyone on a vulnerable machine has access to kernel memory by writing a terse no-brainer C program, of which I will not give an example, because enough people on the Internet hate me already. :)

An interesting occurrence, because it demonstrates that massive numbers of open source participants auditing the code aren't sufficient to ferret out every giant coding blunder.

-- 
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"
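As an added illustration of the check quoted in the post (example code written for this page, not the post's own code and not taken from the kernel), the following C program models do_brk()'s argument handling in 32-bit unsigned arithmetic: the unchecked end-address computation beside the patched test. TASK_SIZE is assumed here to be 0xC0000000, the 3 GiB user/kernel split the post refers to; the sample address ranges are constructed for the demonstration. It shows why the second half of the test matters: a length large enough to wrap addr + len past 2^32 yields an end address that is below TASK_SIZE and so would slip past the first comparison on its own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constant for this example: the 3 GiB user/kernel boundary of
 * a 32-bit x86 kernel of that era. Not copied from the page. */
#define TASK_SIZE 0xC0000000u

/* Model of the pre-2.4.23 behaviour: no range check at all. Returns the
 * end address the mapping would reach, computed modulo 2^32 exactly as
 * 32-bit unsigned kernel arithmetic would. */
static uint32_t brk_end_unchecked(uint32_t addr, uint32_t len) {
    return addr + len;  /* may exceed TASK_SIZE or wrap around */
}

/* The patched check from the post, applied to a 32-bit address space.
 * The first comparison rejects an end address in kernel space; the
 * second rejects a range whose end wrapped past 2^32, which the first
 * comparison alone would accept. Returns 0 if acceptable, -EINVAL if not. */
static int brk_range_check(uint32_t addr, uint32_t len) {
    if ((addr + len) > TASK_SIZE || (addr + len) < addr)
        return -EINVAL;
    return 0;
}

/* Describes where an unchecked range would have ended, for reporting. */
static const char *describe(uint32_t addr, uint32_t len) {
    uint32_t end = brk_end_unchecked(addr, len);
    if (end < addr)
        return "wraps around the address space";
    if (end > TASK_SIZE)
        return "reaches into kernel space";
    return "stays in user space";
}

int main(void) {
    /* Constructed sample ranges covering the normal case and both
     * branches of the check. */
    struct { uint32_t addr, len; } cases[] = {
        { 0x08048000u, 0x00100000u },   /* ordinary heap growth */
        { 0xBFFF0000u, 0x00010000u },   /* ends exactly at TASK_SIZE */
        { 0xBFFF0000u, 0x00020000u },   /* crosses into kernel space */
        { 0xFFFF0000u, 0x00020000u },   /* wraps past 2^32 */
    };
    size_t n = sizeof(cases) / sizeof(cases[0]);

    for (size_t i = 0; i < n; i++) {
        uint32_t addr = cases[i].addr, len = cases[i].len;
        int rc = brk_range_check(addr, len);
        printf("addr=%08x len=%08x end=%08x: %s -> %s\n",
               addr, len, brk_end_unchecked(addr, len),
               describe(addr, len),
               rc == 0 ? "accepted" : "rejected (-EINVAL)");
    }
    return 0;
}
```

The fourth case is the instructive one: its end address is 0x00010000, comfortably below TASK_SIZE, so only the `(addr + len) < addr` wraparound test catches it.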